[libcamera-devel] [PATCH v2 14/17] v4l2: v4l2_camera_proxy: Check arg->index bounds for querybuf, qbuf, dqbuf
Paul Elder
paul.elder at ideasonboard.com
Fri Jun 19 07:41:20 CEST 2020
There were no bounds checks for the index argument for VIDIOC_QUERYBUF,
VIDIOC_QBUF, and VIDIOC_DQBUF. Add them.
Signed-off-by: Paul Elder <paul.elder at ideasonboard.com>
Reviewed-by: Jacopo Mondi <jacopo at jmondi.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart at ideasonboard.com>
---
No change in v2
---
src/v4l2/v4l2_camera_proxy.cpp | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/v4l2/v4l2_camera_proxy.cpp b/src/v4l2/v4l2_camera_proxy.cpp
index 2723450..8396f58 100644
--- a/src/v4l2/v4l2_camera_proxy.cpp
+++ b/src/v4l2/v4l2_camera_proxy.cpp
@@ -540,6 +540,9 @@ int V4L2CameraProxy::vidioc_querybuf(V4L2CameraFile *cf, struct v4l2_buffer *arg
{
LOG(V4L2Compat, Debug) << "Servicing vidioc_querybuf fd = " << cf->efd();
+ if (arg->index >= bufferCount_)
+ return -EINVAL;
+
int ret = lock(cf);
if (ret < 0)
return ret;
@@ -560,6 +563,9 @@ int V4L2CameraProxy::vidioc_qbuf(V4L2CameraFile *cf, struct v4l2_buffer *arg)
LOG(V4L2Compat, Debug) << "Servicing vidioc_qbuf, index = "
<< arg->index << " fd = " << cf->efd();
+ if (arg->index >= bufferCount_)
+ return -EINVAL;
+
int ret = lock(cf);
if (ret < 0)
return ret;
@@ -586,6 +592,9 @@ int V4L2CameraProxy::vidioc_dqbuf(V4L2CameraFile *cf, struct v4l2_buffer *arg)
if (!vcam_->isRunning())
return -EINVAL;
+ if (arg->index >= bufferCount_)
+ return -EINVAL;
+
int ret = lock(cf);
if (ret < 0)
return ret;
--
2.27.0
More information about the libcamera-devel
mailing list